I want to urge the staff to stop using the Cloudflare proxy; it’s really dangerous for a company like yours.
We should not forget what happened earlier with Cloudflare and their data breach, which made all their end users suffer.
Even your rival companies do not use it.
I urge you guys to disable the proxy for your site (at least for vaults where users have their passwords stored).
Well, it’s dangerous to store passwords on a website which has given access to its data to a third-party service that has already had data breaches in the past.
Note: I am talking about the main website, not the self-hosted one.
Thanks for the response,
But what if a user kept a weak master password?
Then the hacker just has to wait for Cloudflare’s data breach and that’s all. He already has the encrypted data and the code of Bitwarden (to know exactly how he can use the master password to decrypt the data); now he just needs to focus on brute-forcing the weak master password.
It was just an example, and even if 0.1% of users are in such a category, it should be a matter of concern.
The thing is… this isn’t really their problem. For example, you have a physical vault/safe to store your money. If you leave it unlocked and get robbed, who is to blame? The company that made it, or you?
All Bitwarden users have a surprisingly easy job to do: create a strong master password. Some 15-30 min of research has to be done and you are good to go. One of the easiest ways is to use the Diceware password system.
I thought the negotiation that occurs between client and server involves some type of session-based security, so a replay attack isn’t possible even if there were snooping of decrypted HTTPS in the middle?
In any case, you seem to be concerned over a very specific and very unlikely attack vector: (1) Cloudflare gets hacked, (2) they’re hacked long enough for someone to snoop a large number of vaults, assuming replay is even possible, (3) they find the right username for the vault, (4) the user in question has a weak password, (5) that’s the one they choose to brute force.
If that’s the case, you should really be self-hosting with your own on-premises hardware and not trusting the Bitwarden cloud to begin with, as they could of course have other issues somewhere in the stack: their own web servers, the cloud service they’re hosted on, the storage their service resides on at the provider in question, etc.
Just think of the mindset of a user who would use such a weak password; will he/she ever take the pain of self-hosting?
I don’t think so. These are usually the non-tech guys.
And they probably think that Bitwarden is capable of even that.
Honestly, that kind of user is probably not even using Bitwarden; they are probably using iCloud Keychain, Firefox password sync, etc., which should be sufficient for them. Most people who seek out a password manager are not also going to knowingly use a horrible passphrase. Corporate users who have Bitwarden mandated are the ones likely to have a horrible passphrase, but hopefully they’re also self-hosted, or the business entity has taken further steps to protect the data, such as mandating two-factor.
The system is designed to be safe in the case of a data breach. A security system designed around perfection will fail. Just a matter of time.
The transmission and storage of the data is a “solved” problem. The bigger issue is accessing that data. What is the threat model for using the clients? And by “client”, I don’t mean what Bitwarden has made, but if someone gains access to the distribution methods, e.g. someone hacks Cloudflare and modifies files to include malicious code, or the browser extension gets modified somehow.
I don’t know what kind of security is around making sure the clients running in or on our browsers are official clients.
Not being an app developer myself, I’m curious about what kind of security is in place to protect the browser extension and Android/iOS code. We have always-connected systems that are auto-updating, except maybe a desktop app.
We understand that the important data is encrypted in addition to the TLS encryption; the point is that Cloudflare is breaking the HTTPS traffic and can see exactly the same as you see on your servers.
So in addition to a possible breach of Cloudflare, we have to trust Cloudflare as much as we trust Bitwarden, and for something as sensitive as password storage that might not be good enough for many people if they were aware of this issue.
Ideally the traffic should be end-to-end encrypted, from my browser to your server without any man in the middle, which is not the case. I don’t think that any of your competitors is using a man in the middle like Cloudflare, and I can’t think of any company dealing with sensitive data using Cloudflare, and I can tell you that in the financial sector these kinds of services are banned.
I honestly think you should get rid of any man-in-the-middle solution for your traffic. I understand that it solves some performance and security issues, but it adds the problem we have mentioned.
For those not familiar with this problem please read:
CloudFlare is a man-in-the-middle who sees all traffic, including tunneled HTTPS traffic (and thus raw unhashed passwords!).
The gratis service also raises the question of how they are monetizing all the data they see and collect. They do not disclose to the public how they monetize that data.
Cloudflare shields criminal webmasters by hiding their IP address from the public. A website involved with crime often has other criminal websites on the same IP, but users who try to protect themselves cannot block the IP address of the malicious site.
CloudFlare’s immense centralization becomes catastrophic when a single bug emerges, like Cloudbleed, which has unacceptable widespread consequences.
CloudFlare deceives website visitors into believing their connection is secure (HTTPS & browser padlock) when in fact the user is MITM’d.
No trustworthiness. CloudFlare has been caught making false statements to the public. CF said: “Why should I trust Cloudflare? You don’t need to. The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers,” the first part of which is incorrect. CloudFlare sees all traffic traversing their servers in the clear, regardless of how secure the tunnel to them is. So of course CloudFlare requires your trust. The second statement about certificates is a non sequitur and irrelevant to the question of trust.
If I could see your traffic unencrypted like Cloudflare does, I could use your auth token to get into your vault.
I can simply intercept the traffic and get the return in my browser.
I wouldn’t need to know your master password to do that.
Basically you trust Cloudflare as much as you trust Bitwarden; there is no difference in the data both can see from you.
Thanks everyone for your comments and concern on this topic!
Cloudflare (or a similar service) is a critical part of making infrastructure scalable and reliable for services like Bitwarden. It’s also leveraged for functions that allow us to protect our services from outside attacks, etc.
As far as Cloudflare getting into your vault, that’s not quite true. In any worst-case scenario they could not decrypt vault data without your email and master password, and a few other pieces of the combination that are not the same as what is used to authenticate your session.
TL;DR - we use Cloudflare to bring a reliable cloud service to end users and take every precaution for security within our power. We do understand that this is not enough for some, which is why self-hosting is a huge part of our service model.
Most web applications don’t have access to my bank account and emails. And my bank and email provider don’t use Cloudflare. A Cloudflare administrator can get the username and password to my bank without anyone noticing. They just need to wait until I access my vault via the web vault. And because Cloudflare can send different JavaScript to different users, nobody will spot that. Obviously it’s about trust. I trust BW, but why add another company with a bad security reputation in the past?
Do I have any chance of avoiding any Cloudflare traffic with my Bitwarden cloud account?
Do I have to self-host a Bitwarden server to avoid the Cloudflare traffic, or do I have to change the sources to get rid of Cloudflare traffic while self-hosting?
As a service provider it’s your responsibility which underpinning services/providers you use, and I understand your decision to use Cloudflare from your point of view.
As a non-US citizen I avoid Cloudflare services wherever possible, esp. for any security-related topics.
I understand BW dataflows/design and why Cloudflare doesn’t have access to my credentials stored in BW, but sharing any PII with Cloudflare (who, where, when, which devices, etc.) isn’t acceptable to me and outweighs the benefits (DDoS resilience) you might see. @onovy’s attack vector is feasible to me; besides, I see Cloudflare as an adversary even without additional attackers.
I was hoping I had already found a successor to LastPass after their tracker debacle, but now I have to evaluate self-hosting Bitwarden or look further.
Cloudflare is indeed an unavoidable part of our SaaS product infrastructure. We do believe that choice is critical in managing security, whether individually or for your teams/organizations, and so our self-hosting is of course available, sans Cloudflare.
If Digital Ocean is an option for you, they have a nice droplet for Bitwarden, making deploying a self-hosted instance even easier.